To be consistent with up2date, yum should be configured OOTB to check

This is me giving the big non-committal shrug.
If that's what Red Hat wishes to do with the Fedora package of yum,
that's fine by me.
It's a config file change.

I definitely think it should default safe. Even if it then points the
user at a URL about keys and stuff, it should stop errors first, IMHO.

While I agree the default should be "safe", I see no
reason to diverge from upstream. yum is installing packages well;
adding key ring management to that task will decrease reliability.

I'm not sure I understand Comment #3. Yum already has GPG key
checking included (via the RPM database, like up2date); it is just not
configured to use it by default.

I'm fine with gpgcheck=1 being on in yum. Installing keys is not
difficult; there are LOTS of instructions for how to do it, and yum
exits reasonably nicely with an error about how the user should either
install the right keys or disable gpgcheck=1.

I agree that gpgchecks are a good idea, I'm just not sure how much
they matter considering users don't pay attention to them anyway.
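
An added illustration, not part of the original comments and not yum's own code: a small audit that works out the effective `gpgcheck` value for each repository, since a `gpgcheck` line in `[main]` acts as the default and a repository section can override it. The sample configuration, the function names and `UNSET_DEFAULT` are constructed for this example; the "not checked when unset" value follows the thread's statement that yum is not configured to check by default.

```python
import configparser

# Constructed sample yum configuration (not taken from the thread).
SAMPLE_CONF = """\
[main]
gpgcheck=1

[base]
baseurl=http://mirror.example.invalid/base/

[updates]
baseurl=http://mirror.example.invalid/updates/
gpgcheck=0

[thirdparty]
baseurl=http://mirror.example.invalid/thirdparty/
gpgcheck=yes
"""

# Assumption from the thread: with no gpgcheck line, signatures are not checked.
UNSET_DEFAULT = False

def to_bool(raw):
    """Parse a yum-style boolean and reject anything ambiguous."""
    value = raw.strip().lower()
    if value in ("1", "yes", "true"):
        return True
    if value in ("0", "no", "false"):
        return False
    raise ValueError("unrecognised gpgcheck value: %r" % raw)

def effective_gpgcheck(conf_text):
    """Map each repo id to (gpgcheck_enabled, where_the_setting_came_from)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    inherited = (UNSET_DEFAULT, "unset")
    if parser.has_option("main", "gpgcheck"):
        inherited = (to_bool(parser.get("main", "gpgcheck")), "[main]")
    result = {}
    for repo in (s for s in parser.sections() if s != "main"):
        if parser.has_option(repo, "gpgcheck"):
            # A per-repository line wins over the [main] default.
            result[repo] = (to_bool(parser.get(repo, "gpgcheck")), "repo")
        else:
            result[repo] = inherited
    return result

def unverified_repos(conf_text):
    """Repos whose packages would be installed without a signature check."""
    return sorted(r for r, (on, _) in effective_gpgcheck(conf_text).items() if not on)
```

Run against the sample, only `updates` is reported; removing the `[main]` line makes `base` unverified as well, which is the out-of-the-box behaviour the thread is arguing about.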